It's rate limiting on key derivation attempts. A key is made via scrypt from the passphrase. A hash of this key is used as an authentication token to obtain a random token from the secure element for the final hardware-bound key derivation to use as an additional input. Passing the wrong authentication token results in rapidly increasingly throttling. We documented the previous less aggressive ramp up at https://grapheneos.org/faq#encryption but it actually ramps up a lot faster now to make 4 digit PINs less horrible, although we still strongly recommend 6 random digits as the minimum.

Secure element updates don't only need to have a valid signature and greater version. They also require the Owner user to authenticate successfully after booting in order for it to be accepted. This is what they refer to as insider attack resistance, since it protects against them being coerced by a government into removing the brute force protection for a locked device via an update.